Skill v1.0.1
ClawScan security
Upgrade Cairo Contracts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 2:16 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, internally consistent guide for upgrading Cairo contracts with OpenZeppelin's UpgradeableComponent; it requests no credentials, installs nothing, and stays on-topic.
- Guidance
- This skill is documentation-only and appears coherent and low-risk. Before installing:
  - verify the author/source if you need an official OpenZeppelin guide (registry metadata lacks a homepage);
  - never provide private keys or signing credentials to an agent — if you let an agent execute transactions, keep signing keys off-platform or use a secure signer/multisig/timelock;
  - follow the SKILL.md's suggested safety practices (access control, timelocks, test on devnets, verify class hashes);
  - note the license (AGPL-3.0-only) if you plan to modify or redistribute the content.
  If you want higher assurance, ask for the full source or an official OpenZeppelin reference link before relying on this skill for production upgrades.
Review Dimensions
- Purpose & Capability
- ok: The name and description match the SKILL.md content: guidance for making Cairo contracts upgradeable via Starknet's replace_class_syscall and OpenZeppelin components. The skill does not ask for unrelated credentials, binaries, or configuration.
- Instruction Scope
- ok: SKILL.md is documentation and step-by-step guidance (design notes, access-control recommendations, testing checklist). It does not instruct the agent to read arbitrary local files, export secrets, or transmit data to unknown endpoints. It does recommend deploying to devnets for testing, which is appropriate for the stated purpose.
- Install Mechanism
- ok: No install specification or code files are present (instruction-only), so nothing is written to disk or downloaded. This is the lowest-risk install profile.
- Credentials
- note: The skill requires no environment variables or credentials, which is proportionate. Note: the SKILL.md metadata names 'OpenZeppelin' as author but the registry shows 'Source: unknown' and no homepage; verify the provenance if you require an official OpenZeppelin artifact.
- Persistence & Privilege
- ok: The `always` flag is false and the skill does not request persistent system presence. The skill can be invoked autonomously (platform default) but contains only guidance; it does not itself perform upgrades or store credentials.
